00. Person on the U.S. Secret Service Most Wanted Cybercriminals List Identified as Running a
BlackEnergy DDoS Botnet - An OSINT Analysis


01. Introduction to WHOIS XML API 


WhoisXML API is one of the Web's and the security industry's primary destinations for threat
intelligence and cybercrime research. It provides OSINT-grade domain, IP, and current and
historical WHOIS data, with billions of domain, IP and WHOIS records in its database. Both novice
and experienced cybercrime researchers, threat intelligence analysts and OSINT practitioners
should consider adding WhoisXML API to their arsenal of OSINT tools and public data sources, and
using it as a primary information source in their ongoing OSINT, cybercrime and threat
intelligence investigations.


02. How to get a proper account 


Cybercrime researchers and threat intelligence analysts interested in obtaining access to one of
the Web's and the industry's most comprehensive and in-depth data sets of real-time and
historical domain, IP and WHOIS information should sign up for an account at
https://main.whoisxmlapi.com/signup before beginning their OSINT and cybercrime research,
threat hunting and threat intelligence gathering.


Monthly query quota per API product at each pricing tier:

Product                  Tier 1    Tier 2    Tier 3     Tier 4     Tier 5     Tier 6      Units
WHOIS and Bulk WHOIS     100,000   500,000   1,000,000  2,000,000  5,000,000  10,000,000  Monthly queries
Domain Availability      100,000   500,000   1,000,000  2,000,000  5,000,000  10,000,000  Monthly queries
IP Geolocation            50,000   100,000     200,000    500,000  1,000,000   2,000,000  Monthly queries
IP Netblocks              50,000   100,000     200,000    500,000  1,000,000   2,000,000  Monthly queries
DNS Lookup               100,000   200,000     500,000  1,000,000  2,000,000   4,000,000  Monthly queries
Email Verification        50,000   100,000     200,000    500,000  1,000,000   2,000,000  Monthly queries
Domain Reputation         50,000   100,000     200,000    500,000  1,000,000   2,000,000  Monthly queries
Website Categorization    50,000   100,000     200,000    500,000  1,000,000   2,000,000  Monthly queries
Website Contacts          50,000   100,000     200,000    500,000  1,000,000   2,000,000  Monthly queries


Sample WhoisXML API Pricing Plans Web Site 


03. How to install Maltego 


For the purpose of this case study we'll use the popular OSINT gathering and enrichment tool
Maltego, which you can download from https://www.maltego.com/downloads/, as the front end for
WhoisXML API's domain, IP, and current and historical WHOIS data, one of the Web's and the
industry's most comprehensive and in-depth databases.
Java 11 64 bit is recommended.

Sample Maltego Download Web Site


04. How to use the WHOIS XML API Maltego Integration 


Before using the Maltego integration, users should follow the instructions above and obtain a
WhoisXML API account, which they can then use for the actual research, OSINT analysis and
enrichment.
05. The Case Study


We've decided to dig a little deeper into the U.S. Secret Service Most Wanted Cybercriminals
list and have managed to find personally identifiable information on one of the most wanted
cybercriminals, Oleksandr Vitalyevich Ieremenko, and to connect one of his major Web properties
with a currently active BlackEnergy DDoS-for-hire botnet. We're providing actionable threat
intelligence and personally identifiable information on its Internet-connected infrastructure
with the aim of assisting U.S. law enforcement in tracking down and prosecuting the
cybercriminals behind these campaigns.


In this analysis we'll provide personally identifiable information on Oleksandr Vitalyevich
Ieremenko and on one of his Web properties, which is a BlackEnergy DDoS-for-hire botnet C&C
server domain, with the aim of assisting the security community and U.S. law enforcement in
tracking down and prosecuting the cybercriminals behind these campaigns.
Name servers: dns1.yandex.net, dns2.yandex.net


Sample bot check-in to the C&C domain (HTTP POST, body is 44 bytes as declared):

    POST /black_energy_31337_/stat.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
    Host: kOx.ru
    Content-Length: 44
    Cache-Control: no-cache

    id=xCASPER-5D225B80_E8401F1D&build_id=6DE983


Personally Identifiable Information:

Primary Web site URL: hxxp://kOx.ru
ICQ: 123424
Personal Email: lamarez@mail.ru; uaxakep@gmail.com


We'll continue monitoring the campaign and post updates as soon as new developments take 
place. 


